
Public and Private Trust in the World of PKI

Publicly trusted TLS/SSL certificates are used for public-facing website projects (e.g., websites, landing pages, microsites, etc.) and are needed in order to avoid browser warnings.

Trust is key to the usefulness of public TLS/SSL certificates. In the public trust model, the trust placed in each browser – Safari, Chrome, Microsoft, Mozilla, and Firefox – and, in most cases, in operating system vendors – Windows, OS X, Apple iOS, and Android – is anchored by the root certificates provided by each authorized certification authority (CA).

With private trust, each individual or organization makes its own trust decisions to augment those made on its behalf by the browsers. It does this by adding specific private roots to the trust store used by its browser, which then trusts any certificate that chains to one of those private roots. CAs can establish and manage their own certificate policies for private certificates, providing more flexibility for internal IT environments.
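The trust-store behaviour described above, shown as an added example that is not Entrust's code: a private root is generated, a leaf for an internal hostname is issued from it, and the leaf verifies only against a store that contains that root. It uses Go's standard crypto/x509; the names "Example Corp Private Root" and "hr.corp.example" are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate for cn signed by parent/parentKey (self-signed when parent is nil) and its key.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey, days int) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // error only if the OS CSPRNG fails
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Duration(days) * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if !isCA { // leaf: bind the hostname a client will check and mark it as a TLS server cert
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert, key
}

// trusted reports whether leaf chains to a root in roots for host; an empty pool stands in for a browser store without the private root.
func trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	root, rootKey := issue("Example Corp Private Root", true, nil, nil, 3650)
	leaf, _ := issue("hr.corp.example", false, root, rootKey, 90)
	private := x509.NewCertPool() // the organization's store, with its own root added
	private.AddCert(root)
	fmt.Println(trusted(leaf, x509.NewCertPool(), "hr.corp.example"), trusted(leaf, private, "hr.corp.example"))
}
```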

What are the use cases for public trust TLS/SSL certificates?

  • Website Security: Encrypting data transmitted between a user’s browser and a web server, protecting sensitive information like passwords and credit card numbers.
  • E-commerce: Securing online transactions and user data, ensuring trust in payment processes.
  • APIs: Securing data exchanges between services and applications, ensuring secure communication in web services.
  • Authentication: Verifying the identity of users and devices accessing services, enhancing overall security.

These certificates help establish trust and secure communications across various digital platforms.

What are the use cases for private trust TLS/SSL certificates?

  • Machine Identity: Providing security and trust of machines by establishing trust with high-assurance, certificate-based identities.
  • IoT Device Communication: Securing communications between internal IoT devices or applications that do not require public exposure.
  • Internal Websites and Applications: Private certificates can secure communications within internal websites and applications. For example, a company might leverage private certificates to enable HTTPS on an internal employee portal, like HR or finance systems, where sensitive data is exchanged.
  • VPNs: Private certificates can be used for client and server authentication in a VPN scenario. This ensures that only trusted devices with the appropriate private certificate can connect to the corporate VPN.
  • Inter-Organizational Communication: Partner companies can manually configure their systems to accept each other’s private certificates.
  • Development and Testing: Allowing developers to create and test applications in a secure environment without the need for public certificates.
  • API Security: Protecting internal APIs, ensuring that only authorized services communicate securely without external validation.
  • Custom Solutions: Supporting specialized applications that require tailored security solutions, like proprietary software or platforms. Private trust certificates enable organizations to manage security internally without the need for external certificate authorities, while still ensuring data protection and integrity.

Should I use public trust certificates for a use case that's considered private trust?

While public trust certificates can be used for private use cases, doing so may require more operational overhead, because certificates will need to be replaced more frequently as certificate lifespans shorten. This approach may be time- and cost-prohibitive without lifecycle automation capabilities.


Certification Authority Browser Forum (CA/B Forum)

The CA/Browser Forum is a voluntary organization of certificate issuers and suppliers of internet browser software and other applications that use certificates (certificate consumers). As a founding member of the Forum, Entrust actively contributes to developing the industry standards known as the Baseline Requirements for the issuance and management of publicly trusted certificates.

The CA/Browser Forum is responsible for implementing new rules and policies that certification authorities (CAs) like Entrust must adhere to, as well as establishing regulations for CAs and their audits by third-party programs such as WebTrust and ETSI. In addition to the Forum, rules come from browser root program policies from browsers such as Mozilla, Microsoft, Apple, and Google. CAs must undergo annual audits to ensure they comply with standards, and the audit reports are shared with browsers. Any issues found must be addressed, potentially leading to certificate revocation. The Forum, as a standards-issuing body, does not enforce requirements and lacks the authority to make exceptions.

The requirements of the CA/Browser Forum evolve in response to the changing threat landscape and new technologies, and the organization enforces these requirements, with certificate consumers such as web browser vendors and email clients playing a crucial role. While not all changes originate from the Forum, they eventually become adopted, as CAs such as Entrust must adhere to them to retain support in relying party software.

Validity Periods

The CA/Browser Forum establishes TLS/SSL certificate validity periods through a member voting process outlined in its governing bylaws. Since Sept. 1, 2020, maximum certificate validity is 397 days, or approximately 13 months. The upcoming introduction of a 90-day or even 45-day certificate lifespan, as per Apple’s recent proposal, will be a significant shift for many organizations because it makes visibility, control, and automation more critical. Read our blog post and watch our webinar to learn about recommended next steps and how to plan your strategy before shorter certificate lifespans become the norm, with automation playing a crucial role in supporting this transition.

Revoking Certificates

The Baseline Requirements of the CA/Browser Forum establish a timeframe for revoking mis-issued certificates, which can be either 24 hours or five days, depending on the specific situation. The CA is obligated to conduct a thorough investigation of the reported issue and provide a preliminary report to both the subscriber and the reporting entity. After the investigation, the CA will work with the subscriber and any relevant parties to determine whether the certificate should be revoked and, if necessary, establish a revocation date. The CA is typically able to address the issue with minimal impact on organizations. A subscriber should be prepared to respond quickly to a CA’s request to revoke the certificate in a short timeframe to avoid any service disruptions.

Certificate Lifecycle Management (CLM)

Take the guesswork out of certificate lifecycle management

Discover, manage, and automate all certificates throughout your organization using an end-to-end, scalable certificate lifecycle automation solution. Take advantage of the simplicity and flexibility of our management portal that allows you to:

  • Find unknown TLS/SSL certificates associated with your organization with our Discovery+ suite of tools and keep track of them from one centralized location
  • Manage public and private certificates, regardless of issuing CA, from a single dashboard
  • Streamline domain verification to the click of a button: after a one-time self-service setup, domain verification is automated for you
  • Automate certificate installation, deployment, and renewals from a simple, cloud-based platform
  • Get insight with comprehensive real-time reporting and alerts to help maintain regulatory compliance and protect against unexpected certificate expiry
  • Benefit from integration with third-party vendors, including ServiceNow, Venafi, Ansible, and Microsoft Azure

Certificate Automation

The Entrust solution provides customers with a variety of options for automating the certificate issuance and management processes:

  • Automate your certificate issuance using Entrust’s proven REST API, our industry-standard ACMEv2 service, or CLM platforms such as the Entrust Certificate Services platform or Certificate Hub.
  • Simplify the process of continuously proving control of your organization’s domains by automating it separately using our REST API or our industry-first ACMEv2 preauthorization support. Customers also have the option to verify domains when issuing certificates on the fly via ACMEv2.
  • Automate renewals and handle early emergency certificate revocations automatically with ACME Renewal Information (ARI).
  • Know when automated processes may have stumbled, with monitoring, alerts, and notifications so you can be confident your certificates and domains are kept up to date, avoiding outages and operations emergencies.

Featured Report

Entrust firmly positioned as a market leader in Frost Radar analytics

Frost & Sullivan's latest Global Holistic TLS Certificate Market report provides a comprehensive overview of the market and its CAs. Their Frost Radar™ benchmarking system evaluates CAs using a growth index and an innovation index, both of which take many factors into account. Entrust was ranked as one of the fastest-growing CAs globally and a leader in innovation.
